Lonnie Abelbeck wrote:
> Arno,
>
> I think I have convinced myself that NAT_FORWARD will work to forward,
> otherwise denied traffic, to a local DMZ-IP address.
>
> The problem is the NAT_FORWARD variable constantly needs to be adjusted
> when OPEN_, HOST_OPEN_ or other NAT_FORWARD_'s are changed. This now
> becomes a maintenance issue.
>
> The idea is to have a single variable, possibly:
>
> FORWARD_DENIED="ip.add.re.ss"
>
> 1) One solution is to add the iptables DNAT/ACCEPT commands for all
> udp/tcp ports (1:65535) to FORWARD_DENIED, in the appropriate chain such
> that any OPEN_, HOST_OPEN_ or other NAT_FORWARD_'s have already matched,
> thereby only match the remainder.
>
> I don't know what chain that would be.
This doesn't work, as NAT is performed in the POST/PRE-routing chains.
Only selective NAT-ing will allow this (as I previously suggested).
> 2) A different approach would be to create a script (plugin) that
> calculates what are the "$remainder" ports to forward to FORWARD_DENIED
> that are not otherwise handled on the inbound EXTIF, and then
> automatically calculate the NAT_FORWARD...
>
> Input: $HOST_OPEN_TCP, $OPEN_TCP, $NAT_FORWARD_TCP
> Output: NAT_FORWARD_TCP="$NAT_FORWARD_TCP $remainder>$FORWARD_DENIED"
>
> and for UDP as well.
>
> This approach may be more difficult than it looks using shell script.
This would be way better yes. But someone needs to write it, and at
least I don't have the time nor the environment to do that at the moment...
> Lonnie
cheers,
Arno
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
--
Arno van Amersfoort
E-mail : arnova at rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---------------------------------------------------------------------------
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl
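The "$remainder" calculation Lonnie sketches in point 2 is mostly a port-range complement, which is not hard in plain sh. The script below is an added illustration written for this page, not code from Arno's firewall or the plugin discussed above. It assumes the entry syntax the thread shows (ports or lo:hi ranges in OPEN_TCP, a port part after '>' in HOST_OPEN_TCP, a port part before '>' in NAT_FORWARD_TCP); check those against your own firewall.conf before relying on it. The sample variable values are constructed.

```shell
#!/bin/sh
# Added example (not AIF code): compute the "remainder" ports that no
# OPEN_TCP / HOST_OPEN_TCP / NAT_FORWARD_TCP entry already claims, and emit
# NAT_FORWARD_TCP entries that send them to the FORWARD_DENIED host.
# Assumed entry syntax (check against your firewall.conf):
#   OPEN_TCP        = "22 80:90"            ports or lo:hi ranges
#   HOST_OPEN_TCP   = "host>port[,port]"    port part after '>'
#   NAT_FORWARD_TCP = "port>ip"             port part before '>'

# port_complement "22 80 1000:2000" -> "1:21 23:79 81:999 2001:65535"
# Unsorted or overlapping input is merged before the gaps are emitted.
port_complement() {
    for tok in $1; do
        case "$tok" in
            *:*) echo "${tok%%:*} ${tok##*:}" ;;   # lo:hi range
            *)   echo "$tok $tok" ;;               # single port
        esac
    done | sort -n -k1,1 -k2,2 | {
        next=1    # lowest port not yet covered by any entry
        out=""
        while read -r lo hi; do
            if [ "$lo" -gt "$next" ]; then
                if [ "$lo" -eq $((next + 1)) ]; then
                    out="$out $next"                 # single-port gap
                else
                    out="$out $next:$((lo - 1))"     # multi-port gap
                fi
            fi
            if [ "$hi" -ge "$next" ]; then
                next=$((hi + 1))
            fi
        done
        if [ "$next" -lt 65535 ]; then
            out="$out $next:65535"
        elif [ "$next" -eq 65535 ]; then
            out="$out 65535"
        fi
        echo "${out# }"
    }
}

# Collect the port parts of the three variables (TCP shown; UDP is identical).
used_ports_tcp() {
    ports=""
    for e in $OPEN_TCP;        do ports="$ports $e"; done
    for e in $HOST_OPEN_TCP;   do ports="$ports ${e##*>}"; done
    for e in $NAT_FORWARD_TCP; do ports="$ports ${e%%>*}"; done
    echo "${ports# }" | tr ',' ' '
}

# forward_denied_rules DMZ_IP -> the extra "range>ip" NAT_FORWARD_TCP entries
forward_denied_rules() {
    out=""
    for r in $(port_complement "$(used_ports_tcp)"); do
        out="$out $r>$1"
    done
    echo "${out# }"
}

# Constructed sample configuration (not taken from the thread):
OPEN_TCP="22 80"
HOST_OPEN_TCP="203.0.113.5>443"
NAT_FORWARD_TCP="25>192.168.1.10 8000:8080>192.168.1.20"
FORWARD_DENIED="192.168.1.99"

REMAINDER_RULES=$(forward_denied_rules "$FORWARD_DENIED")
echo "NAT_FORWARD_TCP=\"$NAT_FORWARD_TCP $REMAINDER_RULES\""
```

Because the complement is recomputed from the three input variables every time the firewall starts, it tracks later OPEN_/HOST_OPEN_/NAT_FORWARD_ changes automatically, which is the maintenance problem the thread raises. Note that every port not explicitly opened ends up reachable on the DMZ host, so that host needs its own filtering; the script only expresses the policy, it does not make it safe.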